Abstract — The security literature offers a multitude of calculi, languages, and systems for information-flow control, each with some set of labels encoding security policies that can be attached to data and computations. The exact form of these labels varies widely, with different systems offering many different combinations of features addressing issues such as confidentiality, integrity, and policy ownership. This variation makes it difficult to compare the expressive power of different information-flow frameworks.

To enable such comparisons, we introduce label algebras, 
an abstract interface for information-flow labels equipped 
with a notion of authority, and study several notions of 
embedding between them. The simplest is a straightforward 
notion of injection between label algebras, but this lacks a 
clear computational motivation and rejects some reasonable 
encodings between label models. We obtain a more refined 
account by defining a space of encodings parameterized by an 
interpretation of labels and authorities, thus giving a semantic 
flavor to the definition of encoding. We study the theory of 
semantic encodings and consider two specific instances, one 
based on the possible observations of boolean values and one 
based on the behavior of programs in a small lambda-calculus 
parameterized over an arbitrary label algebra. 

We use this framework to define and compare a number of 
concrete label algebras, including realizations of the familiar 
taint, endorsement, readers, and distrust models, as well as label 
algebras based on several existing programming languages and 
operating systems. 

Keywords — Security; Languages; Design; Theory; Information flow control (IFC); DIFC; label models; decentralized label model (DLM); Jif; LIO; disjunction category model; Flume; HiStar; Asbestos.

I. Introduction 

Information-flow control (IFC) systems [1] run the gamut 
from static type systems to run-time monitors and from core 
calculi to full-blown languages and operating systems. A 
critical component of each one is a label model — a notation 
for writing down information-flow labels together with rules 
for when one label flows to another, in the sense that data 
labeled with the first is allowed to flow to contexts labeled 
with the second. These labels can be thought of as low-level 
"micro-policies" for information flow. They do not directly 
describe the end-to-end security policies that the system's 
users might care about ("my banking information will never 
be sent to evil.com"); rather, they capture information-flow invariants on specific sensitive values ("this integer and values derived from it should only be visible to the Bank principal"), which can be used by programmers to enforce and reason about higher-level security properties.

Label models come in a bewildering variety of shapes and 
forms. A theoretical discussion of IFC might typically use a very simple model with just two or three labels ($\bot \sqsubseteq \top$, or public $\sqsubseteq$ secret $\sqsubseteq$ topsecret), or else assume an arbitrary lattice of labels. Or a label could be defined to be a set of
principals, interpreted either as the set of entities that are 
allowed to read a given value or as the set of entities that trust 
or endorse it, or perhaps as the set of entities that may have 
tainted it. More complex systems use sets of sets, logical 
formulae, or other structures as labels. Some systems — e.g., 
those based on the Decentralized Label Model (DLM) [2] — 
include a notion of policy owners, distinct from readers, 
tainters, or endorsers, enabling programmers to control not 
only who can use labeled values but also who can change their 
labels by declassification. Some systems focus on protecting 
secrecy, others integrity, and still others incorporate both. 
The list of possible variations seems endless. 

Many questions now arise. Which label models are best for 
which purposes? What common structure might we expect 
every label model to have, beyond a simple flows-to ordering? 
Can all the label models used in real systems be viewed 
as instances of this common structure, or are there deep 
differences between them? What generic operations can be 
performed on arbitrary label models? Can the common dictum 
that "integrity is formally dual to secrecy" be given a rigorous 
explanation? Is some label model $\mathcal{M}_1$ "more expressive" than a model $\mathcal{M}_2$, in the sense that, given a program written in terms of $\mathcal{M}_1$, we can obtain a program over $\mathcal{M}_2$ (with the same behavior!) by rewriting labels in some systematic way?
Such questions are rarely discussed, but they seem essential 
to a thorough understanding of IFC. 

Our goal in this paper is to initiate the comparative 
study of label models by providing a concrete mathematical 
framework and investigating how it applies to label models 
found in the wild. We define label algebras, an abstract 
presentation of the mechanisms of information flow and 
authority common to many label models. On top of this, 
we define a simple programming language — an untyped 
lambda-calculus with dynamic information-flow tracking and 
declassification — parameterized by an arbitrary label algebra 
(§III). We give a generic proof of (an authority-enriched generalization of) a standard non-interference property.



From the definition of label algebras, we directly obtain an 
algebraic notion of injections — maps that preserve and reflect 
the structure of label algebras — as a natural, algebraically 
justified way of formalizing claims of the form "label algebra $\mathcal{M}_1$ can be faithfully encoded in $\mathcal{M}_2$." However, this notion
of encoding is quite strong — so strong that some intuitively 
reasonable embeddings fail to be injections. (For example, the 
label algebra of conjunctions of literals cannot be injected 
into the label algebra of conjunctions of disjunctions of 
literals, although the latter seems intuitively "more expressive" 
than the former.) Moreover, we would like our notion 
of embedding to have some semantic justification. We 
therefore introduce a generic notion of semantic embeddings 
between label algebras (§IV), parameterized by the choice 
of "semantics": different semantics may lead to different 
notions of embeddings. We study embeddings for two 
different semantics: a boolean semantics, which focuses on 
an observer's possible observations of labeled boolean values 
in a given label algebra, and an evaluation semantics, which 
additionally takes into account the behavior of computations 
over labeled data. For each of them, we derive an algebraic 
characterization theorem that can be used to verify the 
existence or nonexistence of embeddings. 

Finally, we use these concepts to define and study a number 
of concrete label algebras, including simple examples that 
illustrate dimensions of the design space of label models, 
realizations of the familiar taint, endorsement, readers, and 
distrust models (§V), and more complex examples based 
on real-world languages and operating systems (§VI). In 
particular, we define label algebras corresponding to the 
disjunction category (DC) model [3], the Decentralized Label 
Model (DLM) [2] without principal hierarchies, Asbestos [4], 
HiStar [5], [6], and Laminar [7]; we also discuss Flume [8] 
and show that its labels are a little more flexible than what 
label algebras can represent. We settle the existence or nonexistence of embeddings among all of the simple examples
and some of the real-world ones — in particular, we show that 
(the secrecy part of) the DLM with no principal hierarchy 
cannot be embedded in the DC model (we conjecture the 
converse embedding is impossible too), but that, when 
authorities are not considered, embeddings between the 
underlying label lattices do exist in both directions. Finally, 
we discuss models with principal hierarchies (such as the 
full DLM [2]) and show how these can be modeled as 
a component of the authority structure of a label algebra 
(§VII). A known order-theoretic weakness of the DLM with a principal hierarchy prevents it from satisfying all the requirements to be a label algebra, but we can complete its order structure to yield a label algebra with nearly the same behavior.

We survey related work in §VIII and sketch directions for future work in §IX.

Two important caveats should be mentioned at the outset. 
First, our definition of label algebra covers just a small set of core features — labels, label ordering, authority, and
defaults — omitting some of the interesting complexities 
associated with real- world label models. In particular, this 
paper does not address dynamic generation of principals 
and authorities, although we briefly sketch an extension of 
label algebras that handles this feature in §IX. Second, since 
evaluation embeddings are defined in terms of computation, 
their properties necessarily depend on the details of the 
programming language under consideration; adding other 
features such as first-class labels will change some of our 
results. This specificity is inherent to our approach; indeed, 
we show that injections are the only form of encoding that 
is system independent. 

We have verified most of our theorems with the Coq proof assistant [9] (these theorems are marked [Coq]). The full Coq development can be found at http://www.cis.upenn.edu/~bcpierce/papers.

II. Label Algebras 

Basic definitions. Recall that a pre-lattice is a preorder with meet and join operations. Note that there may be cycles in a preorder ($x \leq y$ and $y \leq x$ with $x \neq y$).

II.1 Definition: A label algebra $\mathcal{M}$ comprises:

• a pre-lattice of labels $(\mathcal{L}, \sqsubseteq, \sqcap, \sqcup)$,

• a lower-bounded join pre-semilattice of authorities $(\mathcal{A}, \leq, \vee, 0)$,

• for each authority $A$, a flows-to relation $\sqsubseteq_A$ on $\mathcal{L}$, such that:

  1) $\sqsubseteq_0 = \sqsubseteq$

  2) if $A \leq A'$ and $L_1 \sqsubseteq_A L_2$, then $L_1 \sqsubseteq_{A'} L_2$

  3) each $(\mathcal{L}, \sqsubseteq_A, \sqcap, \sqcup)$ is a pre-lattice

• a designated default label $L^{def}$.

We write $L_1 \equiv_A L_2$ when $L_1 \sqsubseteq_A L_2$ and $L_2 \sqsubseteq_A L_1$; we write $\equiv$ to denote $\equiv_0$; we also write $A_1 \equiv A_2$ when $A_1 \leq A_2$ and $A_2 \leq A_1$. We write $\mathbb{LA}$ for the set of label algebras.

The main structure in a label algebra is the set of labels, which must form a pre-lattice — i.e. labels must be equipped with a pre-order $\sqsubseteq$, a greatest lower bound $\sqcap$ and a least upper bound $\sqcup$.

Authorities can be understood as permissions to bend the rules of information flow, allowing more flows between labels. The least (or empty) authority, written $0$, carries no privilege: the relation $\sqsubseteq_0$ is exactly the flows-to relation of the underlying pre-lattice of labels (axiom 1 about authorities).

The authority-indexed flows-to relations are compatible 
with the ordering on authorities (axiom 2): increasing 
authority makes it easier to flow from one label to another. 
Declassification (or downgrading) is the exercise of authority 
to permit a flow that would not otherwise be allowed. The 
0-authority flows-to relation describes the flows that are 
always allowed. 



Axiom 3 requires that all the pre-lattices in the family have 
the same joins and meets — i.e. joins and meets don't depend 
on authority. Remember that in a pre-lattice, joins and meets 
are unique up to equivalence. Axiom 3 is consistent with the 
fact that information flow analyses combine labels in a way 
that is independent of the authority that a piece of program 
could use. 

Many label models have distinguished bottom and top 
labels, but we do not ask the label pre-lattices to be bounded. 

The last bullet in the definition specifies that there should 
be a designated default label. That label could be used, 
for instance, to annotate all data values by default, unless 
they have been downgraded. This is useful when labels are 
used for endorsement: by default, a data value starts out life 
endorsed by no one (i.e., with a high label), and its label 
gets lowered only by the explicit exercise of authority. In 
the evaluation semantics defined in §IV, this is achieved by 
using the default label as the starting value of the pc label 
when a term is evaluated. 

Examples. We will see many examples of label algebras in 
§V and §VI; for now, let's look at just a few simple ones. 

Most label algebras are defined over some enumerable set of principals, written $\mathbb{P}$. We write $p$ for specific principals, $P$ for sets of principals, and $\mathcal{P}(\mathbb{P})$ for the set of sets of principals. It is sometimes convenient to consider $\mathcal{P}(\mathbb{P})$ as a lattice, with intersection and union corresponding to meet and join. Similarly, $\mathcal{P}_{fin}(\mathbb{P})$ is the set or lattice whose elements are finite sets of principals. $\mathbf{1}$ is the unit lattice; its single element is written either $\bot$ or $0$.

One very simple label algebra is the public / secret model, which we call 2 for short; it is also sometimes called the binary model [10]. Its set of labels is a two-point lattice, and it has only one authority.

2: Public / Secret Model

  $\mathcal{L} = \{\bot, \top\}$ with $\bot \sqsubseteq \top$    $\mathcal{A} = \mathbf{1}$    $L^{def} = \bot$



A more interesting label algebra is the readers model (written CR, rather than just R, for consistency with a group of related label algebras that we will encounter in §V).

CR: Readers Model

  $\mathcal{L} = \mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$    $L^{def} = \mathbb{P}$
  $\mathcal{A} = \mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$    $A_1 \leq A_2 \iff A_1 \subseteq A_2$
  $L_1 \sqsubseteq_A L_2 \iff L_1 \cup A \supseteq L_2$

Its labels are either the full set of principals or one of its finite subsets, ordered by reverse inclusion (so the join of two labels is their intersection and their meet is their union). Intuitively, the principals in a label are the ones who may read some piece of data. Its default label is $\mathbb{P}$ (which is the bottom element of the label lattice) — i.e. anybody is allowed to read data with the default label. A value labeled with some set of principals can freely be relabeled with a smaller set (fewer allowed
readers) — in particular, in the labeled lambda-calculus in 
§111, it will always be legal to take a value with the default 
label and relabel it (restrict its readership) to some finite 
set of principals. Authorities are sets of principals, and an 
authority containing a principal p permits flows from labels 
not including p (i.e. data that p cannot read) to labels where 
p is allowed as a reader. For example, it is legal to relabel 
a value labeled {q, r} into one labeled {p, q, r} using the 
authority {p, s}. The top element of the authority lattice, P, 
is an omnipotent authority: it allows any flow whatsoever. 
We do not expect it to be used by any actual program or 
observer. 

Another simple label algebra is the endorsement model (CE). It differs from the readers model only in its default label, which is the top element. The principals in a label indicate who has endorsed some data value. By default, nobody endorses anything.

CE: Endorsement Model

  $\mathcal{L} = \mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$    $L^{def} = \emptyset$
  $\mathcal{A} = \mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$    $A_1 \leq A_2 \iff A_1 \subseteq A_2$
  $L_1 \sqsubseteq_A L_2 \iff L_1 \cup A \supseteq L_2$



Operations on label algebras. The space of label algebras is 
closed under some simple operations, including dualization 
and product; these can be useful for describing examples 
compactly. 

Suppose $\mathcal{M}$ is a label algebra. Its dual, $\mathcal{M}^{op}$, is obtained by reversing the $\sqsubseteq_A$ relations:

$\mathcal{M}^{op}$: Dual of $\mathcal{M}$

  $\mathcal{L}^{op} = \mathcal{L}$    $\mathcal{A}^{op} = \mathcal{A}$    $(L^{def})^{op} = L^{def}$
  $L_1 \sqsubseteq^{op}_A L_2 \iff L_2 \sqsubseteq_A L_1$
  $\sqcup^{op} = \sqcap$    $\sqcap^{op} = \sqcup$

Because authorities have no top element in general, we do not invert the authority structure (there would be no canonical way of choosing a bottom authority). Moreover, because there is no canonical "complement" for the default element, we keep it the same.

Suppose $\mathcal{M}_1$ and $\mathcal{M}_2$ are two label algebras. We define their product $\mathcal{M}_1 \times \mathcal{M}_2$ as follows (joins, meets, and the authority order are taken componentwise):

$\mathcal{M}_1 \times \mathcal{M}_2$: Product of $\mathcal{M}_1$ and $\mathcal{M}_2$

  $\mathcal{L} = \mathcal{L}_1 \times \mathcal{L}_2$    $\mathcal{A} = \mathcal{A}_1 \times \mathcal{A}_2$    $L^{def} = (L_1^{def}, L_2^{def})$
  $(L_1, L_2) \sqsubseteq_{(A_1, A_2)} (L'_1, L'_2) \iff L_1 \sqsubseteq_{A_1} L'_1$ and $L_2 \sqsubseteq_{A_2} L'_2$

Real world systems often combine secrecy and integrity 
into a single model by taking a label algebra of the form 
M x M op for some M (see §VI). 

We can also drop the authority part of an arbitrary label algebra. (We will use this operation several times in §V and §VI.) Given a label algebra $\mathcal{M}$, its 0-authority projection, written $\mathcal{M}^0$, is defined as follows:

$\mathcal{M}^0$: 0-authority projection of $\mathcal{M}$

  $\mathcal{L}^0 = \mathcal{L}$    $\mathcal{A}^0 = \mathbf{1}$    $L_1 \sqsubseteq^0_\bot L_2 \iff L_1 \sqsubseteq L_2$    $(L^{def})^0 = L^{def}$
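As an added worked example (not code from the paper or from its Coq development), the following Python encodes finite instances of the label algebras and operations of this section: the readers and endorsement models over a small principal universe, the dual, product and 0-authority projection constructions, and a brute-force check of the axioms of Definition II.1 (axiom 1 holds by construction, since the 0-authority relation is taken as the underlying pre-order). The class and function names, and the deliberately wrong `broken_readers` variant that the check rejects, are assumptions of the example.

```python
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Any, Callable


@dataclass(frozen=True)
class LabelAlgebra:
    """A finite label algebra (Definition II.1).  flows(auth_bot, ., .) is the
    underlying pre-order ⊑, so axiom 1 holds by construction."""
    labels: tuple            # carrier of the label pre-lattice L
    auths: tuple             # carrier of the authority pre-semilattice A
    auth_leq: Callable       # A1 <= A2
    auth_join: Callable      # A1 v A2
    auth_bot: Any            # the least authority 0
    flows: Callable          # flows(A, L1, L2)  means  L1 ⊑_A L2
    join: Callable           # L1 ⊔ L2
    meet: Callable           # L1 ⊓ L2
    default: Any             # L^def


def subsets(universe):
    items = sorted(universe)
    return tuple(frozenset(c) for r in range(len(items) + 1)
                 for c in combinations(items, r))


def readers(universe, default=None):
    """CR over a finite universe P (so P_fin(P) ∪ {P} is all of P(P)).
    Labels are ordered by reverse inclusion, hence join = ∩ and meet = ∪;
    L1 ⊑_A L2 iff L1 ∪ A ⊇ L2.  CE is the same algebra with default ∅."""
    P = frozenset(universe)
    S = subsets(P)
    return LabelAlgebra(
        labels=S, auths=S,
        auth_leq=lambda a, b: a <= b, auth_join=lambda a, b: a | b,
        auth_bot=frozenset(),
        flows=lambda A, l1, l2: (l1 | A) >= l2,
        join=lambda l1, l2: l1 & l2, meet=lambda l1, l2: l1 | l2,
        default=P if default is None else default)


def broken_readers(universe):
    """Deliberately wrong variant (constructed for the check): authority REMOVES
    readers, so more authority permits fewer flows and axiom 2 fails."""
    return replace(readers(universe), flows=lambda A, l1, l2: (l1 - A) >= l2)


def dual(M):
    """M^op: reverse every ⊑_A, swap ⊔ and ⊓, keep authorities and default."""
    return replace(M, flows=lambda A, l1, l2: M.flows(A, l2, l1),
                   join=M.meet, meet=M.join)


def product(M1, M2):
    """M1 × M2: pairs of labels and of authorities, everything componentwise."""
    return LabelAlgebra(
        labels=tuple((l, k) for l in M1.labels for k in M2.labels),
        auths=tuple((a, b) for a in M1.auths for b in M2.auths),
        auth_leq=lambda a, b: M1.auth_leq(a[0], b[0]) and M2.auth_leq(a[1], b[1]),
        auth_join=lambda a, b: (M1.auth_join(a[0], b[0]), M2.auth_join(a[1], b[1])),
        auth_bot=(M1.auth_bot, M2.auth_bot),
        flows=lambda A, l, k: M1.flows(A[0], l[0], k[0]) and M2.flows(A[1], l[1], k[1]),
        join=lambda l, k: (M1.join(l[0], k[0]), M2.join(l[1], k[1])),
        meet=lambda l, k: (M1.meet(l[0], k[0]), M2.meet(l[1], k[1])),
        default=(M1.default, M2.default))


def projection0(M):
    """M^0: forget authority; the authority structure becomes the unit lattice 1."""
    return replace(M, auths=(M.auth_bot,), auth_leq=lambda a, b: True,
                   auth_join=lambda a, b: M.auth_bot,
                   flows=lambda A, l1, l2: M.flows(M.auth_bot, l1, l2))


def is_label_algebra(M):
    """Brute-force check of Definition II.1 on finite carriers."""
    L, A, f = M.labels, M.auths, M.flows

    def prelattice(leq):          # reflexive, transitive, ⊔ is a lub, ⊓ is a glb
        return (all(leq(x, x) for x in L)
                and all(leq(x, z) for x in L for y in L for z in L
                        if leq(x, y) and leq(y, z))
                and all(leq(x, M.join(x, y)) and leq(y, M.join(x, y))
                        and leq(M.meet(x, y), x) and leq(M.meet(x, y), y)
                        and all(leq(M.join(x, y), z) for z in L if leq(x, z) and leq(y, z))
                        and all(leq(z, M.meet(x, y)) for z in L if leq(z, x) and leq(z, y))
                        for x in L for y in L))

    # authorities: a preorder with a least element and binary joins
    auth_ok = (all(M.auth_leq(a, a) for a in A)
               and all(M.auth_leq(M.auth_bot, a) for a in A)
               and all(M.auth_leq(a, M.auth_join(a, b)) and M.auth_leq(b, M.auth_join(a, b))
                       and all(M.auth_leq(M.auth_join(a, b), c) for c in A
                               if M.auth_leq(a, c) and M.auth_leq(b, c))
                       for a in A for b in A))
    # axiom 2: more authority never forbids a flow
    monotone = all(f(b, x, y) for a in A for b in A for x in L for y in L
                   if M.auth_leq(a, b) and f(a, x, y))
    # axiom 3: every ⊑_A is a pre-lattice with the SAME joins and meets
    return (M.default in L and auth_ok and monotone
            and all(prelattice(lambda x, y, a=a: f(a, x, y)) for a in A))
```

With the universe {p, q, r, s}, `readers(...)` reproduces the relabeling in the text: {q, r} flows to {p, q, r} under authority {p, s} but not under the empty authority, and `is_label_algebra` accepts CR, CE, their duals, products and projections while rejecting `broken_readers`. The check is exhaustive, so it is only meant for the small finite instances used to sanity-check a new model before proving anything about its infinite version.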

Label algebra morphisms and injections. We compare the expressiveness of label algebras by studying the absence or existence of certain kinds of maps between them. We begin with a very loose notion of maps and then consider morphisms — i.e. structure-preserving maps — and injections — i.e. structure-reflecting morphisms. Later (§IV), we define embeddings — i.e. semantics-preserving and reflecting maps — which will be our real objects of study. We will see that any injection is an embedding (Theorem IV.7), but that embeddings are not necessarily morphisms (Theorems IV.8 and IV.10).

II.2 Definition: Given two label algebras $\mathcal{M}_1 = (\mathcal{L}_1, \mathcal{A}_1, \ldots)$ and $\mathcal{M}_2 = (\mathcal{L}_2, \mathcal{A}_2, \ldots)$, a label algebra map $m$ from $\mathcal{M}_1$ to $\mathcal{M}_2$, written $m \in \mathcal{M}_1 \to \mathcal{M}_2$, is a pair of:

• a function (also written $m$) from $\mathcal{L}_1$ to $\mathcal{L}_2$, and

• a function (also written $m$) from $\mathcal{A}_1$ to $\mathcal{A}_2$.

II.3 Definition [Morphism]: A map $m \in \mathcal{M}_1 \to \mathcal{M}_2$ is a morphism when:

1) $L_1 \sqsubseteq_A L_2$ implies $m(L_1) \sqsubseteq_{m(A)} m(L_2)$

2) $m(L_1^{def}) \equiv L_2^{def}$

3) $L_1 \equiv L_2$ implies $m(L_1) \equiv m(L_2)$

4) $m(L_1 \sqcup L_2) \equiv m(L_1) \sqcup m(L_2)$

5) $m(L_1 \sqcap L_2) \equiv m(L_1) \sqcap m(L_2)$

6) $m(0_1) \equiv 0_2$

7) $A_1 \equiv A_2$ implies $m(A_1) \equiv m(A_2)$

8) $m(A_1 \vee A_2) \equiv m(A_1) \vee m(A_2)$

A morphism is a structure-preserving map: it is monotone, preserves the default labels and the bottom authority, commutes with joins and meets, and preserves equivalence classes. We have chosen the most natural definition for a structure-preserving map. One can notice, however, that some items in the definition are redundant. For instance, item 3 is implied by the conjunction of item 1, item 6 and axiom 1 of label algebras: if $L_1 \equiv L_2$ then $L_1 \sqsubseteq_{0_1} L_2$ and $L_2 \sqsubseteq_{0_1} L_1$, so by item 1 the images flow both ways under $m(0_1)$, which is equivalent to $0_2$ by item 6.

II.4 Definition [Injection]: A morphism $m \in \mathcal{M}_1 \to \mathcal{M}_2$ is an injection when:

• $m(L_1) \sqsubseteq_{m(A)} m(L_2)$ implies $L_1 \sqsubseteq_A L_2$;

• $m(A_1) \equiv m(A_2)$ implies $A_1 \equiv A_2$;

• $m(L_1) \equiv m(L_2)$ implies $L_1 \equiv L_2$.

In that case, we write $m \in \mathcal{M}_1 \hookrightarrow \mathcal{M}_2$. We write $\mathcal{M}_1 \hookrightarrow \mathcal{M}_2$ if there exists $m \in \mathcal{M}_1 \hookrightarrow \mathcal{M}_2$, and we say that $\mathcal{M}_1$ injects into $\mathcal{M}_2$.

Injections are morphisms that also reflect the structure: they reflect the authority-indexed flows-to relation and the equivalence classes. Note that injections also necessarily reflect the orderings on labels and on authorities. Our notion of injection is reminiscent of the notion of order embedding (i.e. order-preserving and reflecting functions).

[Figure 1. Syntax of terms, values, atoms and environments.]

II.5 Proposition: The relation $\hookrightarrow$ between label algebras is reflexive and transitive.

Given the strong algebraic flavor of injections, one could consider that they would make a good definition of embedding. It turns out that they are too constraining: they ask for the whole structure to be preserved and reflected, whereas a given information-flow system or language may use the flows-to relation only (as in DStar [11]), while another one may additionally use joins but make no use of meets (like the toy λ-calculus of §III), and yet another may use both meets and joins (like Jif [2]). In these cases, why should embeddings talk about the label algebra ingredients that a system does not use? The next two sections develop a more refined notion that takes these issues into account.

III. Labeled Lambda-Calculus 

We now define a small programming language $\lambda_\mathcal{M}$ parameterized by a label algebra $\mathcal{M}$. For simplicity, we choose an untyped language with dynamic information-flow tracking, similar to that of [12].

Syntax and semantics. The syntax of $\lambda_\mathcal{M}$, together with the sets of values and labeled values (atoms), is shown in Figure 1. Its syntax comprises booleans, variables, λ-abstractions, applications and a construct $t\ \$_A\ L$ to relabel the result of the evaluation of $t$ with the constant label $L$ using authority $A$. Note that in this tiny language labels and authorities are not first-class: they can only occur in the relabeling construct.

The fact that the language $\lambda_\mathcal{M}$ is so small and simple is a deliberate choice: for example, there is no construct that controls who can exercise which authority. While it may look unrealistic, this modeling simplification makes it easy to define the static authority of a program (Definition III.1).

The big-step operational semantics of $\lambda_\mathcal{M}$ is given in Figure 2. The evaluation judgment has the form $pc, \rho \vdash t \Downarrow a$. Evaluation produces atoms, denoted by $a$, which are labeled values. We write $v@L$ to denote the atom whose value component is $v$ and whose label is $L$. The environment $\rho$ maps variables to closed atoms.

The label $pc$ is the program counter label; as usual, it tracks implicit flows of information through the control state of the program. The $pc$ label is modified by branching over a secret value: in particular, the $pc$ label may change when a function is called (third premise of rule Eval_App). If our language had other control constructs such as conditionals, they would need similar side conditions. In the variable lookup rule, the label on the variable's value from the environment is joined with the current $pc$ label to form the label on the result, reflecting the fact that the choice to look up this variable (as opposed to another one, for example) may have been influenced by sensitive information. This detail is crucial for the non-interference theorem (III.3).

[Figure 2. Big-step semantics (rules including Eval_App and Eval_Relabel).]

We can lift a label algebra map $m$ to a function $\hat{m}$ on programs (resp. values, atoms, environments) as a term homomorphism (resp. on values, etc.) that transforms label constants and authorities using $m$ and copies everything else unchanged. The operation of lifting label algebra maps commutes with composition of maps, and transforms the identity map into the identity function.

Basic properties. We now establish some fundamental results about $\lambda_\mathcal{M}$ — in particular, a standard non-interference property. This is mainly a sanity check on our labeled lambda-calculus: the only part of this development that is used in later sections is Definition III.2.

III.1 Definition: The authority of a program $t$, written $Auth(t)$, is the join of all the authorities that occur in $t$. The definition is lifted to atoms, values, and environments.

The relation $\approx^L_A$ expresses indistinguishability of booleans for observers at label $L$ and authority $A$.

III.2 Definition: $b_1@L_1 \approx^L_A b_2@L_2$ iff either

• $L_1 \not\sqsubseteq_A L$ and $L_2 \not\sqsubseteq_A L$, or

• $L_1 \sqsubseteq_A L$ and $L_1 \equiv L_2$ and $b_1 = b_2$.

Note that this relation is an equivalence.

III.3 Theorem [Non-interference]: If

• $pc, \rho_1 \vdash t \Downarrow b_1@L_1$ and $pc, \rho_2 \vdash t \Downarrow b_2@L_2$,

• $dom\,\rho_1 = dom\,\rho_2$ and $\rho_1(x) \approx^L_A \rho_2(x)$ for every $x \in dom\,\rho_1$,

• $Auth(t) \leq A$,

then $b_1@L_1 \approx^L_A b_2@L_2$.



A point to note about the non-interference theorem is the mention of authority in its third assumption: the theorem requires the observer to have at least as much authority as the program that is observed. This assumption permits the observer to perform all the downgradings that the program could perform, and thus gives more precision to the observation. (Removing the assumption would falsify the theorem: the new statement would say that all programs are non-interfering in the usual sense, even those which downgrade labels.)
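The following Python is an added example, not the paper's own definition of $\lambda_\mathcal{M}$: a toy interpreter for the calculus instantiated with the readers model over two principals, used to exercise Theorem III.3 on a program that leaks a secret through control flow and on the same program wrapped in a declassification. Since Figure 2 is not reproduced above, the evaluation rules are reconstructed from the prose (constants and abstractions take the current $pc$ label, variable lookup joins $pc$ into the stored label, application raises $pc$ by the callee's label, and $t\ \$_A\ L$ requires $L' \sqsubseteq_A L$ for the label $L'$ of $t$'s result); the structural comparison of closures in the indistinguishability relation and all term, function and principal names are assumptions of the example.

```python
from dataclasses import dataclass

PRINCIPALS = frozenset({"p", "q"})
ALL = PRINCIPALS           # L^def of CR: readable by everybody
NO_AUTH = frozenset()      # the bottom authority 0


def flows(A, L1, L2):
    """L1 ⊑_A L2 in the readers model: L1 ∪ A ⊇ L2."""
    return (L1 | A) >= L2


def join(L1, L2):
    """Join in CR is intersection (labels are ordered by reverse inclusion)."""
    return L1 & L2


@dataclass(frozen=True)
class Closure:
    param: str
    body: tuple
    env: tuple   # captured environment as a sorted tuple of (name, atom) pairs


class Stuck(Exception):
    """The relabeling premise L' ⊑_A L failed: the evaluation has no derivation."""


def evaluate(pc, env, t):
    """pc, env ⊢ t ⇓ (value, label).  Terms are tuples (an assumed encoding):
    ('bool', b) | ('var', x) | ('lam', x, t) | ('app', t1, t2) | ('relabel', t, A, L)."""
    tag = t[0]
    if tag == "bool":                 # constants are labeled with the current pc
        return (t[1], pc)
    if tag == "var":                  # variable lookup joins pc into the stored label
        v, L = env[t[1]]
        return (v, join(L, pc))
    if tag == "lam":
        return (Closure(t[1], t[2], tuple(sorted(env.items()))), pc)
    if tag == "app":                  # the body runs under pc ⊔ (label of the function)
        f, Lf = evaluate(pc, env, t[1])
        arg = evaluate(pc, env, t[2])
        body_env = dict(f.env)
        body_env[f.param] = arg
        return evaluate(join(pc, Lf), body_env, f.body)
    if tag == "relabel":              # t $_A L: allowed only if L' ⊑_A L
        v, L_old = evaluate(pc, env, t[1])
        A, L_new = t[2], t[3]
        if not flows(A, L_old, L_new):
            raise Stuck(f"{set(L_old)} does not flow to {set(L_new)} under {set(A)}")
        return (v, L_new)
    raise ValueError(f"unknown term {tag}")


def auth(t):
    """Auth(t) (Definition III.1): the join (union) of all authorities in t."""
    own = t[2] if t[0] == "relabel" else frozenset()
    return own.union(*(auth(s) for s in t[1:] if isinstance(s, tuple)))


def indistinguishable(a1, a2, A, L):
    """b1@L1 ≈^L_A b2@L2 (Definition III.2); closures are compared structurally."""
    (v1, L1), (v2, L2) = a1, a2
    vis1, vis2 = flows(A, L1, L), flows(A, L2, L)
    if not vis1 and not vis2:
        return True
    return vis1 and L1 == L2 and v1 == v2


def noninterference(t, env1, env2, A, L):
    """One instance of Theorem III.3 for the observer (A, L), starting at pc = L^def.
    Returns (hypotheses hold, results are indistinguishable)."""
    hyp = (env1.keys() == env2.keys()
           and all(indistinguishable(env1[x], env2[x], A, L) for x in env1)
           and auth(t) <= A)
    r1, r2 = evaluate(ALL, env1, t), evaluate(ALL, env2, t)
    return hyp, indistinguishable(r1, r2, A, L)


def is_stuck(t, env):
    try:
        evaluate(ALL, env, t)
        return False
    except Stuck:
        return True


# Constructed sample inputs: a Church-encoded boolean readable only by q.
TRUE_FN = ("lam", "a", ("lam", "b", ("var", "a")))
FALSE_FN = ("lam", "a", ("lam", "b", ("var", "b")))
SECRET = frozenset({"q"})
ENV_TRUE = {"s": (evaluate(ALL, {}, TRUE_FN)[0], SECRET)}
ENV_FALSE = {"s": (evaluate(ALL, {}, FALSE_FN)[0], SECRET)}

# s True False: the result depends on s only through control flow; pc tracking taints it with {q}.
LEAK = ("app", ("app", ("var", "s"), ("bool", True)), ("bool", False))
# (s True False) $_{{p}} {p,q}: p's authority is used to declassify the result to everyone.
DECLASSIFY = ("relabel", LEAK, frozenset({"p"}), ALL)
OBSERVER_P = frozenset({"p"})   # clearance label of principal p

if __name__ == "__main__":
    print(noninterference(LEAK, ENV_TRUE, ENV_FALSE, NO_AUTH, OBSERVER_P))        # (True, True)
    print(noninterference(DECLASSIFY, ENV_TRUE, ENV_FALSE, NO_AUTH, OBSERVER_P))  # (False, False)
```

For the observer p with no authority, `LEAK` satisfies the hypotheses and its two results are both labeled {q}, hence indistinguishable. `DECLASSIFY` produces two different booleans readable by p, but it carries authority {p}, so the theorem does not apply; raising the observer's authority to {p} instead makes the two environments distinguishable, so the hypotheses fail again. Attempting the same relabeling with the empty authority gets stuck, which is how the calculus refuses a downgrade that no authority in the program justifies.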

IV. Semantics of Labels 

Now we can return to the question of what it means to claim that "label model $\mathcal{M}_2$ can encode label model $\mathcal{M}_1$". We can give at least two interpretations of this claim with a firm basis in semantics — that is, in some notion of observation. The first is based on the notion of observation of boolean values from Definition III.2; we call maps that preserve and reflect such observations boolean embeddings.
The second is based on observing the results of evaluation 
of programs; we call maps that preserve and reflect these 
observations evaluation embeddings. The latter interpretation 
is probably the more interesting one, since it is ultimately 
the behavior of whole programs that we are concerned 
with, but the first is also worth studying because claims 
about encodability of one label model in another are often 
justified by appealing to a static embedding of labels, without 
reference to the behavior of programs using those labels. 

It is technically convenient to derive both interpretations 
from a common framework. In this section we define a 
general notion of semantics for labels, from which arises a 
generic notion of embedding. We connect this semantic notion 
of embedding to the injections that we have seen earlier. Then, 
we present the boolean and evaluation embeddings as two 
instances of that general framework. 

Basic definitions. We write $\mathcal{R}_1 \leq \mathcal{R}_2$ when $\mathcal{R}_1$ is a coarser relation than $\mathcal{R}_2$ — that is, when $\mathcal{R}_2 \subseteq \mathcal{R}_1$.

IV.1 Definition [Label semantics]: A label semantics is a label-algebra-indexed family of sets $X = \{X_\mathcal{M}\}_{\mathcal{M} \in \mathbb{LA}}$ together with a function

  $\llbracket\cdot\rrbracket : (\mathcal{M} : \mathbb{LA}) \to (\mathcal{A}_\mathcal{M} \times \mathcal{L}_\mathcal{M}) \to \mathrm{BinRel}(X_\mathcal{M})$

that maps each pair $(A, L)$ of an authority and a label from the same label algebra $\mathcal{M}$ to a binary indistinguishability relation on $X_\mathcal{M}$. The notation $(\mathcal{M} : T) \to U$ denotes a dependent product. Since $\mathcal{M}$ can be recovered from $A$ and $L$ we elide the first argument and write $\llbracket(A, L)\rrbracket$ for $\llbracket\cdot\rrbracket_\mathcal{M}(A, L)$.

Below (Definitions IV.3 and IV.4), we will define two label 
semantics — one a semantics of boolean atoms (where Xm 
is the set of boolean atoms over M), the other a semantics 
of programs (where Xm is the set of programs over M). 

This definition of label semantics is quite loose; in what 
follows, we restrict ourselves to good semantics. 

IV.2 Definition [Good semantics]: A label semantics $\llbracket\cdot\rrbracket$ is good if:

1) $A_1 \leq A_2$ implies $\llbracket(A_1, L)\rrbracket \leq \llbracket(A_2, L)\rrbracket$

2) $L_1 \sqsubseteq_A L_2$ implies $\llbracket(A, L_1)\rrbracket \leq \llbracket(A, L_2)\rrbracket$

3) $X$ is equipped with an action of label algebra maps — i.e. for any $m \in \mathcal{M}_1 \to \mathcal{M}_2$, there is a function $\hat{m} \in X_{\mathcal{M}_1} \to X_{\mathcal{M}_2}$ such that $\widehat{id} = id$ and $\widehat{m_1 \circ m_2} = \hat{m}_1 \circ \hat{m}_2$

4) $\llbracket\cdot\rrbracket$ is invariant under injections, i.e. for any injection $m \in \mathcal{M}_1 \hookrightarrow \mathcal{M}_2$ and any $x$, $y$, $A$, and $L$, we have $(x, y) \in \llbracket(A, L)\rrbracket$ iff $(\hat{m}(x), \hat{m}(y)) \in \llbracket(m(A), m(L))\rrbracket$.

The first two points require that a semantics captures 
a notion of observation: the relation [(A, L)] describes 
an observer with authority A and clearance L, and its 
observations get finer when one raises its authority or its 
clearance. Point 3 asks that it makes sense to apply a 
label algebra map to the objects that are observed. This 
is crucial, as we will see later that our notion of embedding 
is based on the changes that the application of a map could 
produce on observations. The action of label algebra maps on 
objects will be the key ingredient for transitive reasoning on 
embeddings (Proposition IV.6). Point 4 requires the semantics 
not to distinguish two label algebras that are the same up 
to injections. Take for instance the label algebra CR' that is the same as CR, except that labels and authorities are lists of principals instead of finite sets. There is clearly an injection $m$ from either of these two label algebras to the other one: they are indeed morally "the same". Point 4 rules out any semantics $\llbracket\cdot\rrbracket$ where $\llbracket(A, L)\rrbracket$ would be different from $\llbracket(m(A), m(L))\rrbracket$. We will see later that a consequence of
point 4 is that injections necessarily preserve and reflect good 
semantics (that is one half of Theorem IV.7). 

In the rest of the paper, we consider two semantics: 
the boolean semantics is exactly the indistinguishability 
relation used by the non-interference theorem (III. 3); the 
evaluation semantics is a semantics of programs, and relates 
programs that lead to indistinguishable booleans when they 
are evaluated in the empty environment, starting with the 
default label. 

IV.3 Definition [Boolean semantics]: The boolean semantics, written $\llbracket\cdot\rrbracket^b$, is defined as follows: $\llbracket(A, L)\rrbracket^b = \approx^L_A$.

IV.4 Definition [Evaluation semantics]: The evaluation semantics, written $\llbracket\cdot\rrbracket^e$, is defined as follows: $\llbracket(A, L)\rrbracket^e = \{(t_1, t_2) \mid L^{def}, \emptyset \vdash t_1 \Downarrow b_1@L_1$ and $L^{def}, \emptyset \vdash t_2 \Downarrow b_2@L_2$ and $b_1@L_1 \approx^L_A b_2@L_2\}$.

Note that the evaluation semantics is the first definition 
that makes use of the default label of label algebras. 

Both the boolean semantics and the evaluation semantics are good [Coq]. For the evaluation semantics, we picked a particular partial equivalence on programs: it is rather simple but already interesting. It is also natural to consider different semantics (e.g. closed under contexts, dealing with non-termination, trace-based...). We leave that for future work.

Label algebra embeddings. We now define some properties 
that characterize label algebra maps that behave well with 
respect to some semantics. 

IV.5 Definition [Sound, Complete, Embedding]: Suppose $m \in \mathcal{M}_1 \to \mathcal{M}_2$ and $\llbracket\cdot\rrbracket$ is a label semantics.

• We say that $m$ is sound with respect to $\llbracket\cdot\rrbracket$ if $(x, y) \in \llbracket(A, L)\rrbracket$ implies $(\hat{m}(x), \hat{m}(y)) \in \llbracket(m(A), m(L))\rrbracket$ for any $A$, $L$, $x$, and $y$.

• We say that $m$ is complete with respect to $\llbracket\cdot\rrbracket$ if $(\hat{m}(x), \hat{m}(y)) \in \llbracket(m(A), m(L))\rrbracket$ implies $(x, y) \in \llbracket(A, L)\rrbracket$ for any $A$, $L$, $x$, and $y$.

• We call $m$ an embedding with respect to $\llbracket\cdot\rrbracket$ (written $m \in \mathcal{M}_1 \hookrightarrow_{\llbracket\cdot\rrbracket} \mathcal{M}_2$) if it is both sound and complete.

• $\mathcal{M}_1$ embeds in $\mathcal{M}_2$ for the semantics $\llbracket\cdot\rrbracket$ (written $\mathcal{M}_1 \hookrightarrow_{\llbracket\cdot\rrbracket} \mathcal{M}_2$) if there exists a function $m$ such that $m \in \mathcal{M}_1 \hookrightarrow_{\llbracket\cdot\rrbracket} \mathcal{M}_2$.

Intuitively, a sound map can only decrease the power of 
an observer to distinguish, whereas a complete map can 
only increase distinguishing power. Embeddings are the 
maps that do not change the power of the observer. We'll 
see that different label semantics lead to different kinds of 
embeddings. 

For any good semantics, embeddability allows transitive reasoning, thanks to item 3 of Definition IV.2.

IV.6 Proposition: For any good label semantics $\llbracket\cdot\rrbracket$, the relation $\hookrightarrow_{\llbracket\cdot\rrbracket}$ on label algebras is reflexive and transitive.

The notion of embedding is weaker than the notion of injection, and injections are the "best" embeddings for good semantics.

IV.7 Theorem: Let $\mathcal{M}_1$ and $\mathcal{M}_2$ be two label algebras. $\mathcal{M}_1 \hookrightarrow \mathcal{M}_2$ iff for any good semantics $\llbracket\cdot\rrbracket$, $\mathcal{M}_1 \hookrightarrow_{\llbracket\cdot\rrbracket} \mathcal{M}_2$. [Coq]

This theorem explains that injections form the most precise 
notion of encoding: embeddings are less precise, and the loss 
of information is specified by the semantics one has chosen. 
The proof of that theorem relies on item 4 of definition IV.2 



for one way of the implication; the other way is proved 
by defining a good semantics for which embeddings are 
necessarily injections. 

Directly proving or refuting embeddability statements 
between label algebras under a given semantics can be 
a difficult task. To make it easier, the next two sections 
are devoted to establishing algebraic characterizations for 
boolean-embeddability and evaluation-embeddability. 

Boolean embeddings. We write $\hookrightarrow^b$ to denote embeddability with respect to the boolean semantics.

IV.8 Theorem [Characterization of $\hookrightarrow^b$]: A label algebra map $m \in \mathcal{M}_1 \to \mathcal{M}_2$ is a boolean embedding iff for any $L_1, L_2 \in \mathcal{L}_1$ and $A \in \mathcal{A}_1$:

1) $L_1 \sqsubseteq_A L_2$ iff $m(L_1) \sqsubseteq_{m(A)} m(L_2)$;

2) $L_1 \equiv L_2$ iff $m(L_1) \equiv m(L_2)$.

Note that the second item is not implied by the first since we know nothing about the image of the bottom authority. Also, note that the default label does not occur in the characterization of boolean embeddings since it is not used in the definition of the boolean semantics. Thus, boolean embeddings enjoy the following property.

IV.9 Proposition: Let $\mathcal{M}_1$ and $\mathcal{M}_2$ be two label algebras differing only in their default labels. Then $\mathcal{M}_1 \hookrightarrow^b \mathcal{M}_2$.

Evaluation embeddings. We write $\hookrightarrow^e$ to denote embeddability with respect to the evaluation semantics.

IV.10 Theorem [Characterization of $\hookrightarrow^e$]: A map $m \in \mathcal{M}_1 \to \mathcal{M}_2$ is an evaluation embedding iff for any $A, A' \in \mathcal{A}_1$ and $L_1, L_2 \in \mathcal{L}_1$:

• $m(L_1^{def}) \equiv L_2^{def}$;

• if $L_1^{def} \sqsubseteq_{A'} L_1$, then $L_1 \sqsubseteq_A L_2$ iff $m(L_1) \sqsubseteq_{m(A)} m(L_2)$;

• if $L_1^{def} \sqsubseteq_{A'} L_1$, then $L_1 \equiv L_2$ implies $m(L_1) \equiv m(L_2)$;

• if $L_1^{def} \sqsubseteq_{A'} L_1$ and $L_1^{def} \sqsubseteq_{A'} L_2$, then $m(L_1 \sqcup L_2) \equiv m(L_1) \sqcup m(L_2)$. [Coq]

Boolean and evaluation embeddings are incomparable notions. In evaluation embeddings, unlike boolean embeddings, defaults must be mapped to defaults (up to equivalence). Conversely, the other properties, which recall the characterization of boolean embeddings, are only required to hold for labels that can be put above the defaults using some authority. Compared to injections (Definition III.4), evaluation embeddings do not require commutation with meets or with authority joins. Also, most laws do not have to hold for labels that are not above the defaults. The fact that labels that are not above $L_{def}$ do not matter in the characterization of evaluation embeddings is a direct consequence of the fact that $L_{def}$ is the starting pc label of programs: it is an invariant of the evaluation judgment that labels of results stay above the pc label (using the program's authority).



The proof of the characterization theorem (like its state- 
ment) is somewhat intricate because it relies on complex 
invariants of the evaluation judgment; without the help of a 
proof assistant, it would be difficult to be confident of its 
correctness. 

Many real-world examples of label algebras have a bottom label, used as $L_{def}$. For that case, the characterization simplifies as follows.

IV.11 Corollary: Assume $\mathcal{M}_1$ and $\mathcal{M}_2$ such that $L^1_{def}$ is a bottom element for $\mathcal{L}_{\mathcal{M}_1}$. Then, $m \in \mathcal{M}_1 \to \mathcal{M}_2$ is an evaluation embedding iff for any $A$, $L_1$ and $L_2$:

• $m(L^1_{def}) \equiv L^2_{def}$;

• $L_1 \sqsubseteq_A L_2$ iff $m(L_1) \sqsubseteq_{m(A)} m(L_2)$;

• $L_1 \equiv L_2$ implies $m(L_1) \equiv m(L_2)$;

• $m(L_1 \sqcup L_2) \equiv m(L_1) \sqcup m(L_2)$.

In this special case, evaluation embeddings are also boolean 
embeddings. 

IV.12 Proposition: Assume $\mathcal{M}_1 \Rightarrow_{\mathsf{E}} \mathcal{M}_2$ and that $L^1_{def}$ is a bottom element for $\mathcal{L}_{\mathcal{M}_1}$. Then $\mathcal{M}_1 \Rightarrow_{\mathsf{B}} \mathcal{M}_2$.

One can wonder under which conditions an evaluation embedding can change the default label. It turns out that if the default label changes from $\bot$ to $\top$ (or from $\top$ to $\bot$), then the input of the embedding must be a trivial label algebra. This result is particularly useful for showing the non-existence of evaluation embeddings.

IV.13 Corollary: Assume $\mathcal{M}_1 \Rightarrow_{\mathsf{E}} \mathcal{M}_2$. If $L^1_{def} = \bot$ and $L^2_{def} = \top$, then $L \equiv \bot$ for any $L \in \mathcal{L}_1$. Dually, if $L^1_{def} = \top$ and $L^2_{def} = \bot$, then $L \equiv \top$ for any $L \in \mathcal{L}_1$.

Consequently, if the default label of a non-degenerate model is $\bot$ or $\top$ then, since dualization changes bottoms to tops (or conversely), there is no evaluation embedding between the model and its dual. However, when the default label is neither a bottom nor a top, an evaluation embedding may exist between a label algebra and its dual. Indeed, for any label algebra $\mathcal{M}$, there is an injection (and thus, an evaluation embedding thanks to Theorem IV.7) from $\mathcal{M} \times \mathcal{M}^{op}$ to $(\mathcal{M} \times \mathcal{M}^{op})^{op}$: it suffices to take the map that swaps the components of a pair.

V. Abstract Examples 
In this section, we define a number of relatively simple 
label algebras and investigate embeddings among them. 
Our goals are twofold: (1) to catalog common examples 
from the literature, and (2) to expose some interesting 
symmetries among these examples. In particular, we can 
define four familiar label models — the Taint, Endorsement, 
Readers, Distrust models — by varying the lattice order and 
default label of the same basic structure, where labels are 
sets of principals. We use the characterization theorems 
to exhaustively settle the existence or non-existence of 
embeddings among all of these simple models (Figure 4). 
Figure 3. Universal models. In this figure, $\mathcal{L} = \mathcal{A} = \mathcal{P}(\mathbb{P})$. Note that UE and UR have the same flows-to relation. The same is true of UT and UD.



Universal models. We first consider four universal models: 
the Universal Endorsement, Taint, Readers, and Distrust 
models. They are "universal" in the sense that a label is 
an arbitrary — finite or infinite — subset of the whole set 
of principals. All four can be specified by varying two 
parameters: the default label and the direction of the flows-to 
relation (Figure 3). The universal endorsement model UE generalizes the endorsement model CE from §II: it has more labels and authorities, but behaves the same otherwise. In the universal taint model UT, a label represents a set of principals who have tainted some piece of data, and data is untainted by default; authorities are used to remove taint. UT differs from UE only by the orientation of its flows-to relation: they are duals. The universal readers model UR extends CR with arbitrary sets of principals as labels and authorities. The universal distrust model UD is the same as UT, but with a top default label. Labels in UD can be interpreted as sets of principals who distrust some piece of data (this terminology was proposed by [10]). The default label is $\mathbb{P}$, meaning that, by default, everyone distrusts everything. Authority is used to remove a principal, i.e. to declare that it trusts some piece of data. UD is the dual of UR.

Syntactic models. The universal models are not well suited for real languages or systems because they are not syntactic: in general, their labels may have no finite representation. However, we define "cut-down" versions of the universal models: CT, CE, CR and CD are versions of UT, UE, UR and UD where labels and authorities are elements of $\mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$, i.e. either finite sets or the full set of principals. Even smaller are T and E, which are versions of UT and UE where labels and authorities are just finite sets of principals. (Note that UR and UD cannot be cut down to finite sets because their default labels are $\mathbb{P}$.)
Figure 4. Embeddings among universal and syntactic models. Dotted arrows mean only boolean embeddings.



Embeddings among universal and syntactic models. The relative expressiveness of the universal and syntactic models is summarized in Figure 4. Additionally, we have proved that, for these models, evaluation-embeddability coincides with injectability.

Most of the embeddings are defined using the identity 
map, and it is very easy to prove that they are indeed 
embeddings. The evaluation embeddings between universal 
models, such as the one from UR to UT, are exceptions, 
since they are defined by complementation. Proving non- 
existence of embeddings is significantly harder. Most of the 
non-existence results are proved either using Corollary IV. 13 
(for evaluation embeddings between the lower and upper part 
of the diagram) or else with variants of the following lemma 
(a consequence of the pigeon-hole principle): 

V.1 Lemma: There is no function from $\mathcal{P}_{fin}(\mathbb{P})$ to $\mathcal{P}_{fin}(\mathbb{P})$ that is both bounded and injective.

The proof that there is no boolean embedding from CT to T is an example of where the above lemma is used: assume such an embedding exists, let us call it $m = (m_{\mathcal{L}}, m_{\mathcal{A}})$. From Theorem IV.8, we know that $m_{\mathcal{L}}$ is necessarily injective on labels (item 2). We also know (item 1) that for any $L \in CT$, $m_{\mathcal{L}}(L) \subseteq m_{\mathcal{L}}(\mathbb{P}) \cup m_{\mathcal{A}}(\mathbb{P})$, a finite set. Therefore, the restriction of $m_{\mathcal{L}}$ to finite sets satisfies the hypotheses of Lemma V.1, a contradiction.

Fig. 4 permits us to draw three (unsurprising) conclusions. First, restricting models to $\mathcal{P}_{fin}(\mathbb{P})$ or $\mathcal{P}_{fin}(\mathbb{P}) \cup \{\mathbb{P}\}$ leads to strictly less expressive label algebras. Second, changing the default label can be observed by evaluation embeddings but not by boolean embeddings (as stated by Theorem IV.10 and Corollary IV.13 on the one hand, and by Proposition IV.9 on the other). And third, complementation (i.e. the composition of dualization and complementation of the default label) preserves embeddings between universal models: indeed, the complementation map is an injection.

Apropos integrity. The observation that integrity can be treated as a formal dual to confidentiality goes back at least to Biba [13]. This agrees with the fact that UE is the formal dual of UT and UR the formal dual of UD. Many real-world systems (e.g., [8], [14], [5]) have relied on this observation to provide unified mechanisms for both.



VI. Real-World Examples 

We now turn our attention to formalizing the label models 
of several existing systems. While some do not perfectly fit 
the formal structure of label algebras, even partial descriptions 
in a common framework will hopefully help clarify their 
similarities and differences. Moreover, we can use these 
formalizations to study the existence or non-existence of 
embeddings. We do not settle the question for all pairs 
of examples, but we do establish several results involving 
variants of the DLM and DC models. 

Disjunction-Category (DC) labels. Disjunction Category 
labels [3] come from a Haskell security library called 
LIO [14], part of the HAILS framework for secure web 
apps [15]. DC labels have a secrecy part and an integrity 
part. We first focus on the secrecy part (DCs). 

Labels of $DC_S$ are finite boolean formulae in conjunctive normal form, containing no negations, i.e. finite conjunctions of finite disjunctions of principals. We write $\mathcal{F}$ to denote the set of such formulae. The flows-to relation is reverse logical entailment, written $\Leftarrow$. Intuitively, these formulae tell who can observe a piece of labeled data. The $\sqsubseteq$ relation allows us to make conservative approximations about who is allowed to observe. $True$ is the empty conjunction and is the $\bot$ element: it means that any principal can observe the data; $False$ is the empty disjunction and is the $\top$ element.

For example, the $DC_S$ label $L = p_1 \wedge (p_2 \vee p_3)$ can be read "this data can be read by somebody that has $p_1$'s credentials and either $p_2$'s or $p_3$'s." It flows to $p_1 \wedge p_2$, because somebody that has $p_1$'s and $p_2$'s credentials respects the policy of $L$.

Authorities are also formulae: $L_1 \sqsubseteq_A L_2$ means that $L_1 \Leftarrow (L_2 \wedge A)$. For example, $L \sqsubseteq_{p_1} p_2 \vee p_3$, because somebody that has either $p_2$'s or $p_3$'s credentials and the ability to use $p_1$'s credentials respects $L$.
$DC_S$: DC Labels (secrecy part)

$\mathcal{L} = \mathcal{F}$   $L_{def} = True$   $\mathcal{A} = \mathcal{F}$   $0 = True$

$A_1 \le A_2 = A_1 \Leftarrow A_2$   $A_1 \vee A_2 = A_1 \wedge A_2$

$L_1 \sqsubseteq_A L_2 = L_1 \Leftarrow (L_2 \wedge A)$

$L_1 \sqcup L_2 = L_1 \wedge L_2$   $L_1 \sqcap L_2 = L_1 \vee L_2$

(Formulae are kept in normal form, so, strictly speaking, 
the definitions of join and meet are up to renormalization.) 
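As an added illustration (not code from the paper or from the LIO library), the following Python models $DC_S$ exactly as boxed above: negation-free CNF formulae as sets of clauses, normalization by dropping subsumed clauses, reverse entailment as flows-to, and the authority-indexed relation $L_1 \Leftarrow (L_2 \wedge A)$. The principal names and the small universe passed to `is_lub` are constructed for the example; the entailment test relies on the fact that, for negation-free CNF, a clause is implied by a formula exactly when it contains one of that formula's clauses.

```python
from __future__ import annotations
from itertools import product

# A negation-free CNF formula is a frozenset of clauses; a clause is a frozenset
# of principal names (a disjunction). The empty conjunction is True, the empty
# disjunction is False. Principal names here are constructed for the example.
Formula = frozenset


def normalize(f: Formula) -> Formula:
    """Drop every clause that strictly contains another clause: it is implied by it."""
    return frozenset(c for c in f if not any(d < c for d in f))


def cnf(*clauses) -> Formula:
    """Build a normalised formula from clauses given as iterables of principals."""
    return normalize(frozenset(frozenset(c) for c in clauses))


TRUE = cnf()        # bottom of DC_S: anybody may observe
FALSE = cnf(())     # top of DC_S: nobody may observe


def entails(psi: Formula, phi: Formula) -> bool:
    """psi => phi for negation-free CNF: each clause of phi must contain a clause of psi."""
    return all(any(d <= c for d in psi) for c in phi)


def conj(f: Formula, g: Formula) -> Formula:
    return normalize(f | g)


def disj(f: Formula, g: Formula) -> Formula:
    """Distribute: (c_1 ∧ ... ∧ c_n) ∨ (d_1 ∧ ... ∧ d_m) = ∧_{i,j} (c_i ∨ d_j)."""
    return normalize(frozenset(c | d for c, d in product(f, g)))


# The label algebra DC_S: authorities are formulae too, with 0 = True.
def flows_to(l1: Formula, l2: Formula, auth: Formula = TRUE) -> bool:
    """L1 ⊑_A L2  iff  L1 ⇐ (L2 ∧ A)."""
    return entails(conj(l2, auth), l1)


def join(l1: Formula, l2: Formula) -> Formula:
    return conj(l1, l2)      # L1 ⊔ L2 = L1 ∧ L2: both policies must be respected


def meet(l1: Formula, l2: Formula) -> Formula:
    return disj(l1, l2)      # L1 ⊓ L2 = L1 ∨ L2


def auth_le(a1: Formula, a2: Formula) -> bool:
    return entails(a2, a1)   # A1 ≤ A2 iff A1 ⇐ A2: a stronger formula is more authority


def auth_join(a1: Formula, a2: Formula) -> Formula:
    return conj(a1, a2)


def is_lub(cand: Formula, l1: Formula, l2: Formula, universe) -> bool:
    """Check that cand is a least upper bound of l1 and l2 among the labels in `universe`."""
    above = flows_to(l1, cand) and flows_to(l2, cand)
    least = all(flows_to(cand, x) for x in universe if flows_to(l1, x) and flows_to(l2, x))
    return above and least
```

With `L = cnf({"p1"}, {"p2", "p3"})`, `flows_to(L, cnf({"p1"}, {"p2"}))` holds, `flows_to(L, cnf({"p2", "p3"}))` fails, and `flows_to(L, cnf({"p2", "p3"}), auth=cnf({"p1"}))` holds again, which is the paper's worked example; `is_lub` lets one confirm on a finite universe that $\wedge$ really is the least upper bound for this order.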

The full DC model adds an integrity component that is 
the dual of DC S . 
DC: Full DC Labels (LIO)

$\mathcal{L} = \mathcal{F} \times \mathcal{F}$   $L_{def} = (True, True)$

$\mathcal{A} = \mathcal{F}$   $0 = True$

$A_1 \le A_2 = A_1 \Leftarrow A_2$   $A_1 \vee A_2 = A_1 \wedge A_2$

$(S_1, I_1) \sqsubseteq_A (S_2, I_2) = S_1 \Leftarrow (S_2 \wedge A) \text{ and } I_2 \Leftarrow (I_1 \wedge A)$

$(S_1, I_1) \sqcup (S_2, I_2) = (S_1 \wedge S_2,\ I_1 \vee I_2)$

$(S_1, I_1) \sqcap (S_2, I_2) = (S_1 \vee S_2,\ I_1 \wedge I_2)$



Note that the default label is neither a top nor a bottom 
element: it is the pair of the bottom for secrecy and the top 
for integrity, i.e. the "most public" and the "least endorsed." 

Simplified DLM. We next describe a stripped-down version of the Decentralized Label Model [2]: we focus on its secrecy part only, and we defer modeling its principal hierarchy (acts-for relation) until §VII. Labels in $DLM_S$ are sets of policies, where policies are drawn from the set $Pol = \{p \to P \mid p \in \mathbb{P},\ P \in \mathcal{P}_{fin}(\mathbb{P})\}$. The sets on the right hand side of the arrow are called reader sets; they are akin to labels of CR in that they decrease as we go up in the lattice of labels. For instance, the label $L_1 = \{p \to \{p_1, p_2\}\}$ says that the principal $p$ allows only principals $p_1$ and $p_2$ to read some data. Label $L_2 = \{p \to \{p_1\}\}$ is strictly more secure than $L_1$, i.e. $L_1 \sqsubseteq L_2$, since $L_2$ allows fewer possible readers.

When $(p \to P) \in L$, we say that principal $p$ owns the policy $p \to P$ in $L$. This label model is called decentralized because several principals can independently own different policies on the same data. In $L_3 = \{p \to \{p_1, p_2\},\ q \to \{p_1\}\}$, principals $p$ and $q$ each express a policy. The resulting policy is the intersection of $p$'s and $q$'s policies, i.e., both of their policies must be enforced. Note that $L_1 \sqsubseteq L_3$ and that $\{q \to \{p_1\}\} \sqsubseteq L_3$.

Authorities are sets of owners. They specify which policies can be modified: for any $p$ in the authority, we can arbitrarily change or remove policies that are owned by $p$, but other policies can only be changed to more restrictive ones. For instance, $L_3 \sqsubseteq_{\{p\}} \{q \to \{p_1\}\}$ and $L_3 \sqsubseteq_{\{p\}} \{p \to \{p_1, p_2, p_3\},\ q \to \{p_1\}\}$. However, $L_3 \not\sqsubseteq_{\{p\}} \{q \to \{p_1, p_2\}\}$, because in the latter label, the security policy owned by $q$ is more permissive than the one in $L_3$.

$DLM_S$: Simplified DLM (secrecy, no acts-for)

$\mathcal{L} = \mathcal{P}_{fin}(Pol)$   $L_{def} = \emptyset$   $\mathcal{A} = \mathcal{P}_{fin}(\mathbb{P})$   $0 = \emptyset$

$L_1 \sqcup L_2 = L_1 \cup L_2$

$L_1 \sqcap L_2 = \{p \to P_1 \cup P_2 \mid (p \to P_1) \in L_1,\ (p \to P_2) \in L_2\}$

$L_1 \sqsubseteq L_2 = \forall (p \to P_1) \in L_1.\ \exists (p \to P_2) \in L_2.\ P_2 \subseteq P_1$

$L_1 \sqsubseteq_A L_2 = L_1 \sqsubseteq L_2 \cup L_A$ where $L_A = \{p \to \emptyset \mid p \in A\}$

Note that a given principal can own more than one policy, and that this is different from owning a compound policy: $L_1 \sqsubseteq \{p \to \{p_1\},\ p \to \{p_2\}\}$, but not conversely. Interestingly, the intuition based on reader sets does not extend to the case of principals owning several policies. For instance, one could expect that $\{p \to \{p_1\},\ p \to \{p_2\}\}$ and $\{p \to \emptyset\}$ express the same requirement, i.e. "$p$ says that nobody can read the data". However, the former label is strictly lesser than the latter. Here is how we understand such labels: the sets of the right hand side express disjunctions of principals, whereas the juxtaposition of two policies means their conjunction. We conjecture that one can isomorphically represent $DLM_S$ labels as finite maps from principals to $\mathcal{F}$ (conjunctions of disjunctions of principals).

Figure 5. Embeddings with $DLM_S$ and $DC_S$. Plain arrows are boolean embeddings; crossed arrows denote non-existence of boolean embeddings; '?' means conjecture.

Li et al. [10] state (informally) that the two point model, the 
writer model, the endorsement model and the distrust model 
can all be encoded in the DLM. Unfortunately, while they 
describe the lattice structures of all the models they consider, 
they do not specify their default labels, and they ignore 
authority. We will see in the next section that authorities play 
an interesting role. 

Some embeddability results. Figure 5 gathers some boolean 
embeddability results involving DCs, DLMs, and some of 
the models from §V. Note that this table represents ongoing 
work: we have not yet carried out an exhaustive exploration 
of this area. 

The first thing to notice is that neither CR nor T is expressive enough to express $DC_S$ or $DLM_S$ labels (this is no surprise). More interesting is that the presence of authorities sometimes precludes embeddability. For instance, $DC_S^0$ and $DLM_S^0$, which don't have authorities, embed in each other, but this is not true for their authority-enriched versions (we have proved one way, conjectured the other): intuitively, there is no notion of owner of a policy in $DC_S$, while conversely there is no way to form a disjunction of authorities in $DLM_S$. Another instance of this phenomenon is that CR does not embed in $DC_S$ or $DLM_S$, but its 0-authority version does. By contrast, the behavior of T is not influenced by the presence of authorities. For the sake of concreteness, we detail one embedding and one non-embeddability arrow of Figure 5.

VI.1 Proposition: $T \Rightarrow_{\mathsf{E}} DLM_S$.

Proof: Define $m(S) = \bigcup_{p \in S} \{p \to \emptyset\}$ and $m(A) = A$. The map $m$ verifies the conditions of Corollary IV.11. □
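The following Python is an added example, not code from the paper or from Jif: it implements the $DLM_S$ box above (policies as owner/reader-set pairs, flows-to with and without authority, join and meet) together with the map $m$ of Proposition VI.1 from the taint model T, and then checks the four conditions of Corollary IV.11 exhaustively on a small constructed sample of T labels and authorities. Principal names and the sample are invented for the illustration; `satisfies_corollary_iv11` checks a finite sample, it does not replace the proof.

```python
from itertools import product

# A policy is (owner, readers) with readers a frozenset of principal names (strings
# constructed for this example); a label is a frozenset of policies.


def policy(owner, *readers):
    return (owner, frozenset(readers))


def label(*policies):
    return frozenset(policies)


def flows(l1, l2):
    """L1 ⊑ L2: every policy of L1 has a same-owner policy in L2 with fewer readers."""
    return all(any(o2 == o1 and r2 <= r1 for o2, r2 in l2) for o1, r1 in l1)


def flows_auth(l1, l2, auth):
    """L1 ⊑_A L2 = L1 ⊑ L2 ∪ L_A with L_A = {p → ∅ | p ∈ A}: owners in A may drop their policies."""
    l_a = frozenset((p, frozenset()) for p in auth)
    return flows(l1, l2 | l_a)


def join(l1, l2):
    return l1 | l2


def meet(l1, l2):
    """Union of reader sets over pairs of policies with the same owner; other policies vanish."""
    return frozenset((o1, r1 | r2) for (o1, r1), (o2, r2) in product(l1, l2) if o1 == o2)


def equiv(l1, l2):
    return flows(l1, l2) and flows(l2, l1)


# Taint model T: labels and authorities are finite sets, L1 ⊑_A L2 iff L1 ⊆ L2 ∪ A.
def t_flows(s1, s2, auth=frozenset()):
    return s1 <= (s2 | auth)


def m_label(s):
    """The map of Proposition VI.1 on labels: m(S) = ⋃_{p ∈ S} {p → ∅}."""
    return frozenset((p, frozenset()) for p in s)


def m_auth(a):
    """... and on authorities: m(A) = A."""
    return frozenset(a)


def satisfies_corollary_iv11(sample_labels, sample_auths):
    """Check the conditions of Corollary IV.11 for m on a finite sample of T (L_def = ∅ is T's bottom)."""
    if not equiv(m_label(frozenset()), frozenset()):          # m(L_def) ≡ L_def (both are ∅)
        return False
    for s1, s2 in product(sample_labels, repeat=2):
        if any(t_flows(s1, s2, a) != flows_auth(m_label(s1), m_label(s2), m_auth(a))
               for a in sample_auths):
            return False                                      # ⊑_A preserved and reflected
        if s1 == s2 and not equiv(m_label(s1), m_label(s2)):   # ≡ in T is plain equality
            return False
        if not equiv(m_label(s1 | s2), join(m_label(s1), m_label(s2))):
            return False                                      # m commutes with ⊔
    return True
```

Running the paper's examples through `flows` and `flows_auth` reproduces them: $L_1 \sqsubseteq L_2$ but not conversely, $L_3 \sqsubseteq_{\{p\}} \{q \to \{p_1\}\}$, and $L_3 \not\sqsubseteq_{\{p\}} \{q \to \{p_1, p_2\}\}$; the two-policies-versus-one subtlety of the preceding paragraph shows up as `flows` holding in one direction only.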

VI.2 Proposition: CR does not boolean embed in $DLM_S$.

Proof: Assume that such a boolean embedding exists; let's call it $m = (m_{\mathcal{L}}, m_{\mathcal{A}})$, and write simply $m$ for either component when no ambiguity arises.

Let us first prove (1): there exists a finite set $A_0$ such that for any label $L \in CR$, $\mathrm{dom}\, m(L) \subseteq A_0$. Take $A_0 = m_{\mathcal{A}}(\emptyset) \cup \mathrm{dom}\, m_{\mathcal{L}}(\emptyset)$. For any label $L \in CR$, $L \sqsubseteq_\emptyset \emptyset$ (the empty reader set is the top label of CR), therefore $m(L) \sqsubseteq_{m(\emptyset)} m(\emptyset)$ by Theorem IV.8. Then, $\mathrm{dom}\, m(L) \subseteq A_0$ by definition of $\sqsubseteq_A$ in $DLM_S$.

Then, let us show (2): for any $A \in \mathcal{A}_{CR}$ and $L_1, L_2 \in \mathcal{L}_{CR}$, $m(L_1) \sqsubseteq_{m(A) \cap A_0} m(L_2)$ iff $m(L_1) \sqsubseteq_{m(A)} m(L_2)$. The direct way holds by properties of label algebras, since $m(A) \cap A_0 \le m(A)$. Let us show the converse: assume $m(L_1) \sqsubseteq_{m(A)} m(L_2)$, and let $p \to P_1 \in m(L_1)$. If $p \in m(A) \cap A_0$, then $(p \to \emptyset) \in m(L_2) \cup L_{m(A) \cap A_0}$, which concludes the proof. Assume now that $p \notin m(A) \cap A_0$. We know that $p \in A_0$ by (1), thus $p \notin m(A)$. Therefore, there exists $P_2$ such that $p \to P_2 \in m(L_2)$ and $P_2 \subseteq P_1$, by definition of $\sqsubseteq$ in $DLM_S$. Then, $p \to P_2 \in m(L_2) \cup L_{m(A) \cap A_0}$, which concludes the proof that $m(L_1) \sqsubseteq_{m(A) \cap A_0} m(L_2)$.

Let us consider the function $f = \lambda A.\ m(A) \cap A_0$. Let us show that $f$ is injective. Assume that $m(A_1) \cap A_0 = m(A_2) \cap A_0$ (3). Then, for any $L_1$ and $L_2$:

$L_1 \sqsubseteq_{A_1} L_2$
iff $m(L_1) \sqsubseteq_{m(A_1)} m(L_2)$ (by Theorem IV.8)
iff $m(L_1) \sqsubseteq_{m(A_1) \cap A_0} m(L_2)$ (by (2))
iff $m(L_1) \sqsubseteq_{m(A_2) \cap A_0} m(L_2)$ (by (3))
iff $m(L_1) \sqsubseteq_{m(A_2)} m(L_2)$ (by (2))
iff $L_1 \sqsubseteq_{A_2} L_2$ (by Theorem IV.8).

Then, since $\emptyset \sqsubseteq_{A_2} A_2$, we have $\emptyset \sqsubseteq_{A_1} A_2$ (by taking $L_1 = \emptyset$ and $L_2 = A_2$), i.e. $A_2 \subseteq A_1$. Similarly, since $\emptyset \sqsubseteq_{A_1} A_1$, we have $\emptyset \sqsubseteq_{A_2} A_1$, i.e. $A_1 \subseteq A_2$. We proved $A_1 = A_2$. Thus, $f$ is injective. The function $f$ is also bounded by $A_0$, so its restriction to finite authorities contradicts Lemma V.1. Therefore, the embedding $m$ cannot exist. □

These examples show that authorities should be included 
in discussions of encodability between label models, as they 
can lead to surprising results. And informal claims about the 
expressive power of label models really need to be taken 
with a grain of salt! 

Asbestos. Asbestos [4] is a high-security operating system based on information flow. Its labels are maps from principals to security levels. $Level$ is the set $\{*, 0, 1, 2, 3\}$ equipped with the total order $* < 0 < 1 < 2 < 3$. Labels are composed of a finite map from principals to levels, plus a default level for the principals ("categories") that are not mentioned in the map. If $L = (f, l) \in (\mathbb{P} \rightharpoonup Level) \times Level$, let $L(p)$ denote $f(p)$ when $p \in \mathrm{dom}\, f$ and the default level $l$ otherwise. The ordering on labels is the pointwise extension of the level ordering.

Each Asbestos process owns a set of "privileges," i.e., a set of principals: if $p$ is in that set, a process is allowed to freely change the level owned by $p$ in a label $L$, à la DLM.

Asbestos:

$\mathcal{L} = (\mathbb{P} \rightharpoonup Level) \times Level$   $L_{def} = (\{\}, 1)$

$\mathcal{A} = \mathcal{P}_{fin}(\mathbb{P})$   $0 = \emptyset$

$L_1 \sqsubseteq_A L_2 = \forall p,\ p \in A \text{ or } L_1(p) \le L_2(p)$



Early HiStar. Different descriptions of the HiStar operating 
system propose somewhat different notions of labels. The 
earliest version [5] uses labels inspired by Asbestos, but with 
several differences in the way they are used — e.g., thread 
label changes are required to be explicitly stated. In the rest 
of the section, we focus on differences with respect to labels. 

The main difference is the way untainting (reclassification) 
is handled. In HiStar, the level * is a privileged level that 
can only appear in thread labels (as opposed to other kernel 
objects, such as files), where it confers the right to untaint a 
principal. It is low in the lattice (below the default level) so 
that threads need authority to gain untainting privileges. 

When a thread with label $L_T$ attempts to observe an object with label $L_O$, common information-flow rules would require that $L_O \sqsubseteq L_T$. However, that would not correspond to * being an untainting privilege, since its low position in the lattice prevents flows instead of allowing more flows. The authors explain that the meaning of * is either bottom or top, depending on the situation. For that purpose, they introduce a special level $\circledast$ (high star) that behaves like a maximum level, but is not really part of the lattice of levels: "level $\circledast$ is only used in access rules and never appears in labels of actual objects". Now, the actual read check is $L_O \sqsubseteq L_T^{\circledast}$, where $L_T^{\circledast}$ is the label $L_T$ in which every occurrence of * is replaced with the special top element $\circledast$.

As it stands, HiStar does not fit the label algebra interface, though we conjecture that it is possible to recast the definitions so that labels do form a label algebra. Indeed, the fact that * occurs in a thread label is a way to express the privileges that are owned by that thread. We can define $Auth(L) = \{p \mid L(p) = *\}$: it is the authority of a thread that has $L$ as a thread label. Then, under the assumption that * does not occur in $L_1$, $L_1 \sqsubseteq L_2^{\circledast}$ is equivalent to $L_1 \sqsubseteq_{Auth(L_2)} L_2$, where the indexed flows-to relation is the one of Asbestos. (Note that our assumption about $L_1$ makes sense, since $L_1$ is supposed not to be a thread label.) We leave the details of this reconstruction of HiStar to future work (but it probably does not warrant very high priority, since HiStar's original label model was in any case subsequently abandoned by its designers).
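As an added example (not code from the paper, Asbestos or HiStar), the following Python implements Asbestos labels and the authority-indexed flows-to of the box above, the early-HiStar read check $L_O \sqsubseteq L_T^{\circledast}$, and the reconstruction $L_O \sqsubseteq_{Auth(L_T)} L_T$ just sketched, so that the claimed equivalence can be checked on sample labels. Level names, principal names and the sample labels are constructed for the illustration, and thread labels are assumed to carry * only in their finite map, never as their default level (otherwise $Auth(L)$ would not be finite).

```python
STAR, HIGH_STAR = "*", "⊛"
# Total order * < 0 < 1 < 2 < 3, extended with ⊛ as a maximum that only access checks use.
_RANK = {lvl: i for i, lvl in enumerate([STAR, 0, 1, 2, 3, HIGH_STAR])}


def le(a, b):
    return _RANK[a] <= _RANK[b]


class Label:
    """Asbestos label L = (f, l): f maps mentioned principals to levels, l is the default level."""

    def __init__(self, default, **levels):
        self.default = default
        self.f = dict(levels)       # principal names are keyword arguments (constructed sample)

    def __call__(self, p):
        return self.f.get(p, self.default)

    def mentioned(self):
        return set(self.f)


def flows_to(l1, l2, auth=frozenset()):
    """Asbestos: L1 ⊑_A L2 iff for every principal p, p ∈ A or L1(p) ≤ L2(p).
    Principals mentioned by neither label compare by default level, since A is finite."""
    ps = l1.mentioned() | l2.mentioned()
    return le(l1.default, l2.default) and all(p in auth or le(l1(p), l2(p)) for p in ps)


def with_high_star(l):
    """L^⊛: every * in the finite map of a thread label replaced by ⊛ (assumption: default ≠ *)."""
    return Label(l.default, **{p: (HIGH_STAR if v == STAR else v) for p, v in l.f.items()})


def histar_can_read(l_obj, l_thread):
    """Early HiStar read check: L_O ⊑ L_T^⊛, with no authority."""
    return flows_to(l_obj, with_high_star(l_thread))


def auth_of(l_thread):
    """Auth(L) = {p | L(p) = *}: the privileges a thread label carries."""
    return frozenset(p for p in l_thread.mentioned() if l_thread(p) == STAR)


def reconstructed_can_read(l_obj, l_thread):
    """The recast check: L_O ⊑_{Auth(L_T)} L_T with the Asbestos flows-to."""
    return flows_to(l_obj, l_thread, auth_of(l_thread))


def checks_agree(objects, threads):
    """Both checks coincide on every pair whose object label contains no * (the paper's assumption)."""
    return all(histar_can_read(o, t) == reconstructed_can_read(o, t)
               for o in objects for t in threads
               if o.default != STAR and STAR not in o.f.values())
```

A thread whose label holds * for `secret` can read an object tainted at level 3 in `secret` under both checks, while a thread at the default level 1 cannot; `checks_agree` runs the two checks over a whole sample of object and thread labels and reports whether they ever disagree.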

Later HiStar & DStar. The DStar system [11] and the more 
recent version of HiStar [6] use a much simpler form of labels 
that does fit our framework. Their labels are pairs of finite 
sets of principals (one for secrecy, one for integrity). Indeed, 
the only difference from T x E is that DStar's set of secrecy 
principals is disjoint from its set of integrity principals. 

Flume & Laminar. In the Flume [8] and Laminar [7] information-flow operating systems, labels are pairs of sets of principals ("tags"), one for secrecy, the other for integrity. Like the latest HiStar, these labels are essentially the product of the taint model with the endorsement model.

However, Flume has a notion of authority that makes the description above inaccurate: authorities are sets of "capabilities", which are principals equipped with a polarity annotation, positive or negative. A positive capability permits adding a principal to a label (in whichever component), whereas a negative capability allows removing a principal. That behavior of authorities is captured in Figure 6.

Flume: not a label algebra

$\mathcal{L} = \mathcal{P}_{fin}(\mathbb{P}) \times \mathcal{P}_{fin}(\mathbb{P})$   $L_{def} = (\emptyset, \emptyset)$

$(S_1, I_1) \sqsubseteq (S_2, I_2) = S_1 \subseteq S_2 \text{ and } I_2 \subseteq I_1$

$\mathcal{A} = \mathcal{P}_{fin}(\mathbb{P}) \times \mathcal{P}_{fin}(\mathbb{P})$   $0 = (\emptyset, \emptyset)$

$(C_1^+, C_1^-) \le (C_2^+, C_2^-) = C_1^+ \subseteq C_2^+ \text{ and } C_1^- \subseteq C_2^-$

$(S_1, I_1) \sqsubseteq_{(C^+, C^-)} (S_2, I_2) = S_2 \setminus S_1 \subseteq C^+ \text{ and } S_1 \setminus S_2 \subseteq C^- \text{ and } I_2 \setminus I_1 \subseteq C^+ \text{ and } I_1 \setminus I_2 \subseteq C^-$

Figure 6. Flume labels and authorities.

The definition does not form a label algebra, because using the least authority is not the same as using no authority: $\sqsubseteq_0$ is the equality relation on labels, which is different from the relation $\sqsubseteq$ of the underlying lattice. This refinement makes Flume more flexible: the way thread labels can change is completely programmable, which gives programmers a lot of freedom to define the shape of the lattice. In practice, we don't know whether programmers actually used all this flexibility. If not, we can easily restrict Flume to yield a label algebra by using disjoint principals for confidentiality and integrity and by always giving threads the $p^+$ capability for confidentiality principals $p$ and the $q^-$ capability for endorsement principals $q$.

VII. Principal hierarchies 

Several information-flow systems (e.g., Jif [2] and Aeo- 
lus [16]) allow users to define a hierarchy of principals, often 
called an acts-for relation, which can be used to delegate 
authority between principals and to implement authorization 
groups. Because the goal of principal hierarchies is to relax 
the rules of how information can flow, they can be viewed 
as part of the authority structure of a label algebra. 

Formally, a principal hierarchy is a partial order over principals. Let $\mathcal{H}$ denote the set of all such partial orders. When $H \in \mathcal{H}$ and $(p_1, p_2) \in H$, we say "$p_2$ acts for $p_1$ (under $H$)." The bottom principal hierarchy is $H_0 = \{(p, p) \mid p \in \mathbb{P}\}$, because by default, each principal acts for himself. We also need to add a top element to $\mathcal{H}$, because label algebras require a join on authorities: without that top element, it would be impossible to fulfill that requirement. Indeed, "joining" two partial orders leads in general to a preorder: cycles can appear. Here is an example of that phenomenon: suppose that $p$ acts for $q$ in $H_1$, and that $q$ acts for $p$ in $H_2$. If $H_1 \vee H_2$ existed as a partial order, then $p$ would necessarily act for $q$ under $H_1 \vee H_2$ and vice versa, a contradiction. Adding a top element is a technical expedient that allows us to turn a partial join into a total one: top can be understood as an "invalid" principal hierarchy.

$DLM_S$-H: not a label algebra

$\mathcal{L} = \mathcal{P}_{fin}(Pol)$   $\mathcal{A} = \{\top\} + (\mathcal{H} \times \mathcal{P}_{fin}(\mathbb{P}))$   $0 = (H_0, \emptyset)$

$(H, P) \le \top = true$

$(H_1, P_1) \le (H_2, P_2) = H_1 \subseteq H_2 \text{ and } P_1 \subseteq P_2$

$(H_1, P_1) \vee (H_2, P_2) = ((H_1 \cup H_2)^+,\ P_1 \cup P_2)$ if $(H_1 \cup H_2)^+$ is a partial order

$A_1 \vee A_2 = \top$ otherwise

$L_1 \sqsubseteq_\top L_2 = true$

$L_1 \sqsubseteq_{(H, \emptyset)} L_2 = \forall (p_1 \to P_1) \in L_1,\ \exists (p_2 \to P_2) \in L_2,\ (p_1, p_2) \in H \text{ and } \forall p_2' \in P_2,\ \exists p_1' \in P_1,\ (p_1', p_2') \in H$

$L_1 \sqsubseteq_{(H, A)} L_2 = L_1 \sqsubseteq_{(H, \emptyset)} L_2 \cup L_A$ where $L_A = \{p \to \emptyset \mid p \in A\}$

Figure 7. $DLM_S$ with principal hierarchy.

To illustrate how this might work, Figure 7 gives a definition of $DLM_S$-H, the extension of $DLM_S$ with principal hierarchies. Authorities are pairs of a hierarchy and a set of principals; as in $DLM_S$, this set is used to remove policies from labels. The relation $\sqsubseteq_{(H_0, A)}$ of $DLM_S$-H is exactly the relation $\sqsubseteq_A$ of $DLM_S$.

However, $DLM_S$-H is not a label algebra, because the $\sqcap$ operation on labels does not necessarily define the greatest lower bound of labels. (This was already noted by Myers [17].)

We can add principal hierarchies to other label algebras in a similar way, leading to similar problems in most instances. The following table sums up the effect of that change on the joins and meets of some of the label algebras we've discussed. The checkmark ✓ indicates that joins (resp. meets) remain least upper bounds (greatest lower bounds); the cross ✗ denotes that joins (meets) are not the best upper bound (lower bound).
Interestingly, none of the set-based models of §V extends well with principal hierarchies (some of them lose joins, others lose meets), whereas $DC_S$ presents no problem. The reason is that set intersection loses some information, whereas syntactic meets, i.e. disjunctions in the case of $DC_S$, keep all the available information. (Take, for example, a hierarchy $H$ such that $p$ acts for $q$ in $H$. In T, $\{p\} \sqcap \{q\} = \{p\} \cap \{q\} = \emptyset$, although $\{q\} \sqsubseteq_H \{p\}$, so a more precise lower bound for $\{p\}$ and $\{q\}$ is $\{q\}$ when they are considered under $H$.)

Fortunately, there is a generic way to recover the joins or meets that disappeared while adding principal hierarchies. Given a preorder $(X, \sqsubseteq)$, we can define the join- and meet-completion of $\sqsubseteq$, written $\sqsubseteq^{\sqcup}$ and $\sqsubseteq^{\sqcap}$. These restore the accuracy of joins or meets by adding new points in the preorder structure as needed. Informally, the meet-completed preorder introduces new points that represent syntactic n-ary meets of points. Formally, $\sqsubseteq^{\sqcap}$ is the relation on $\mathcal{P}_{fin}(X)$ such that $L_1 \sqsubseteq^{\sqcap} L_2 = \forall l_2 \in L_2,\ \exists l_1 \in L_1,\ l_1 \sqsubseteq l_2$. Meet is just set union: $\{l_1, \ldots, l_n\}$ literally represents the meet of $l_1, \ldots, l_n$. If $X$ has joins, then the join in the meet-completed preorder is defined as follows: $L_1 \sqcup^{\sqcap} L_2 = \{l_1 \sqcup l_2 \mid l_1 \in L_1,\ l_2 \in L_2\}$. Meet-completion does not change the accuracy of joins: for $L_1$ and $L_2$ in $X$, $\{L_1\} \sqcup^{\sqcap} \{L_2\} = \{L_1 \sqcup L_2\}$.

The definition of join-completion is dual to the one of meet- 
completion: join-completion adds syntactic n-ary joins to the 
set of points. The definitions of join- and meet-completions 
can be found in the Appendix. 

Adding acts-for to R and then performing join-completion 
leads to a label algebra. Similarly, meet-completing DLMs- 
H gives back a label algebra. 

Interestingly, $T^{\sqcap}$ and $R^{\sqcup}$ are isomorphic to $DC_S$: the DC label model seems to be the simplest model that is an extension of the set-based models and that supports the addition of principal hierarchies.
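The following Python is an added example, not from the paper: it adds a principal hierarchy to the taint model T under the assumed rule that $\{q\} \sqsubseteq_H \{p\}$ when $p$ acts for $q$ (the rule behind the $\{p\}$, $\{q\}$ example above), checks on a small universe that intersection is then no longer a greatest lower bound, and implements the meet-completion of Appendix A, whose union-as-meet repairs it while preserving joins as Lemma A.2 states. Principals, the hierarchy and the universes are constructed for the illustration.

```python
from itertools import product


def acts_for_closure(pairs, principals):
    """Reflexive-transitive closure of 'p2 acts for p1' pairs (p1, p2): a principal hierarchy H."""
    h = {(p, p) for p in principals} | set(pairs)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(h), repeat=2):
            if b == c and (a, d) not in h:
                h.add((a, d))
                changed = True
    return frozenset(h)


def t_flows(l1, l2, h):
    """Assumed rule for T under a hierarchy H: every taint q in L1 is covered by some
    p in L2 that acts for q. With H = H_0 (reflexive only) this is plain set inclusion."""
    return all(any((q, p) in h for p in l2) for q in l1)


def subsets(xs):
    """All subsets of a finite collection, as frozensets (the finite universe for the checks)."""
    xs = list(xs)
    return [frozenset(xs[i] for i in range(len(xs)) if mask >> i & 1)
            for mask in range(1 << len(xs))]


def is_glb(cand, l1, l2, flows, universe):
    """cand is a greatest lower bound of l1 and l2 among `universe` under `flows`."""
    below = flows(cand, l1) and flows(cand, l2)
    greatest = all(flows(x, cand) for x in universe if flows(x, l1) and flows(x, l2))
    return below and greatest


# Meet-completion (Appendix A): a completed label is a finite set of T labels, read as their meet.
def c_flows(c1, c2, h):
    """L1 ⊑^⊓ L2 = ∀ l2 ∈ L2, ∃ l1 ∈ L1, l1 ⊑ l2."""
    return all(any(t_flows(l1, l2, h) for l1 in c1) for l2 in c2)


def c_meet(c1, c2):
    return c1 | c2                                            # L1 ⊓^⊓ L2 = L1 ∪ L2


def c_join(c1, c2):
    return frozenset(l1 | l2 for l1, l2 in product(c1, c2))  # {l1 ⊔ l2 | l1 ∈ L1, l2 ∈ L2}
```

With a hierarchy in which `p` acts for `q`, `is_glb` reports that $\{p\} \cap \{q\} = \emptyset$ is not a greatest lower bound (the lower bound $\{q\}$ is strictly above it), whereas in the completion $\{\{p\}\} \sqcap^{\sqcap} \{\{q\}\} = \{\{p\}, \{q\}\}$ is one; the completed label $\{\{p\}, \{q\}\}$ plays exactly the role of the disjunction $p \vee q$ in $DC_S$.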

VIII. Related Work 

Sabelfeld and Sands [18] describe some aspects of declassification and what rules it should follow. One of them is conservativity: "Security for programs with no declassification is equivalent to noninterference". This rule corresponds to one of the axioms of label algebras, namely $\sqsubseteq = \sqsubseteq_0$, i.e. the bottom authority plays no role. Instantiating Theorem III.3 with the $0$-authority gives indeed noninterference for programs that do not declassify.

Mantel and Sands [19] study intransitive noninterference, a security property of programs that perform declassification. They use PERs that rely on bisimulations of labeled transition systems: by definition, a strongly secure program is related to itself. This seems akin to our evaluation semantics, although they use a more intensional PER on programs. Like our $\lambda$-calculus (§III), their language identifies which parts of the code perform declassification. Their small-step semantics is labeled with the authority that is used during reduction. (Keeping such a trace and using it in the evaluation semantics of labels is an interesting direction for future work for us.) Label algebras are not well suited to model intransitive policies, since the ordering on labels is required to be transitive. If we consider the transitive closures of the relations used by the authors, there seem to be only two authorities: no authority ($\bot$) and declassification authority ($\top$). The declassification relation ($\rightsquigarrow$), which allows exceptional flows, is not required to be transitive, and neither is $\sqsubseteq_\bot \cup \rightsquigarrow$ in general. In our notation, $\sqsubseteq_\top$ corresponds to the relation $(\sqsubseteq \cup \rightsquigarrow)^+$.



Paralocks [20] is a language for building statically ver- 
ifiable information-flow policies. It is based on locks that 
are guarded by policies in the form of Horn clauses, which 
form a pre-lattice. The authors prove that the DLM can be 
encoded into Paralocks by defining a function on labels that 
preserves and reflects the flows-to relation and commutes 
with joins and meets: ignoring authority and the default label, 
this is a label algebra injection. It is not clear whether they 
take authority into account. 

Jaume [21] compares the security policies induced by access control and by information flow analysis. For that purpose, he uses techniques that are similar to the ones we use. A security policy $\mathcal{P}$ is a triple of a set of security targets $T$, a set of configurations $C$, and a predicate $\models \subseteq C \times T$, where $c \models t$ means that the target $t$ is secure with respect to the configuration $c$. Assuming the policies $\mathcal{P}_1$ and $\mathcal{P}_2$ are defined over the same set of targets, $\mathcal{P}_1$ can be embedded into $\mathcal{P}_2$ when $\forall c_1 \in C_1,\ \exists c_2 \in C_2,\ \forall t \in T,\ c_1 \models_1 t \Leftrightarrow c_2 \models_2 t$. Policies over different sets of targets are studied by interpreting them into policies over the same targets.

IX. Future Work 

This exploration of label algebras and embeddings is just 
a beginning. Ultimately, we would like to build an exhaustive 
map of all known label algebras along with the existence or 
absence of embeddings between every pair. However, even 
for the part of this map that we've completed so far, using 
a proof assistant has been more than just helpful — it was 
actually a necessity. For one thing, it helped us to come up 
with cleaner definitions (as formalization always does). More 
importantly, without machine checking we would not have 
trusted our proof of Theorem IV. 10, nor would we probably 
ever have been confident in the correctness of Figure 4. 
Formally verifying further embeddability results — especially 
among real-world label algebras — is a natural next step. 

Since it depends on the semantics of a programming 
language, the evaluation semantics from §IV is sensitive 
to the set of features of the language. It would be interesting 
to extend our language with first-class labels and authorities, 
and possibly imperative features, and see the implications 
on the characterization Theorem IV.10. We conjecture that 
extending the language in a way that makes use of more 
features of label algebras leads to embeddings that need to 
preserve and reflect more aspects of label algebras. 

We would like also to experiment with different instances 
of the abstract label semantics: for example, our evaluation 
semantics could use a more semantic notion of program 
equivalence. We could also consider an information-flow 
type system for our language (i.e., one parameterized over 
label algebras) and then use the typability judgment to define 
a label semantics. 

Label algebras cannot currently describe systems that 
dynamically generate principals (and associated authorities 
and labels). We have defined an extension that deals with 
dynamicity, but a full exposition is beyond the scope of this 
paper. The extension relies on two ingredients: (1) standard 
techniques from nominal logics (permutation of principals, 
finite support, equivariance, etc.) for dealing with generation 
of fresh principal names, and (2) a pair of reification and 
reflection functions that define a syntactic representation 
of labels and authorities. We are currently studying the 
properties of evaluation embeddings for a language with 
these features. 
Appendix 

Other operations on label algebras 

A. Meet completion 

Meet completion takes a preorder and gives a meet- 
prelattice. If the preorder has joins, its meet completion 
preserves them. 

$\mathcal{L}^\sqcap$: Meet completion of $\mathcal{L}$ 

$\mathcal{L}^\sqcap = \mathcal{P}_{fin}(\mathcal{L})$ 

$L_1 \sqsubseteq^\sqcap L_2 = \forall l_2 \in L_2,\ \exists l_1 \in L_1,\ l_1 \sqsubseteq l_2$ 

$L_1 \sqcup^\sqcap L_2 = \{\, l_1 \sqcup l_2 \mid l_1 \in L_1,\ l_2 \in L_2 \,\}$ 

$L_1 \sqcap^\sqcap L_2 = L_1 \cup L_2$ 

A.1 Lemma: Meet completion improves the accuracy of 
lower bounds: for any $l, l_1, l_2 \in \mathcal{L}$ such that $l \sqsubseteq l_1$ and 
$l \sqsubseteq l_2$, we have $\{l\} \sqsubseteq^\sqcap \{l_1\} \sqcap^\sqcap \{l_2\}$. 

A.2 Lemma: Assume $\mathcal{L}$ is a join-prelattice. Meet completion 
preserves joins: for any $l_1, l_2 \in \mathcal{L}$, $\{l_1 \sqcup l_2\} = \{l_1\} \sqcup^\sqcap \{l_2\}$. 
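As an added illustration of the meet completion defined in this appendix (example code, not from the paper), the following Python builds $\mathcal{L}^\sqcap$ over a small constructed preorder: the three operations follow the table above, and lemma_a1_holds checks Lemma A.1 exhaustively. The FinitePreorder class and the "bowtie" preorder BOWTIE are the example's own assumptions.

```python
from itertools import product

class FinitePreorder:
    """Finite flows-to preorder: labels plus generating edges, closed
    reflexively and transitively."""

    def __init__(self, labels, edges):
        self.labels = list(labels)
        self.le = {(x, x) for x in self.labels} | set(edges)
        changed = True
        while changed:  # naive transitive closure, fine for small examples
            changed = False
            for (x, y), (y2, z) in product(list(self.le), repeat=2):
                if y == y2 and (x, z) not in self.le:
                    self.le.add((x, z))
                    changed = True

    def flows(self, x, y):
        return (x, y) in self.le

    def join(self, x, y):
        """Least upper bound; ValueError if none (L is not a join-prelattice)."""
        ubs = [u for u in self.labels if self.flows(x, u) and self.flows(y, u)]
        lub = next((u for u in ubs if all(self.flows(u, v) for v in ubs)), None)
        if lub is None:
            raise ValueError(f"no join of {x!r} and {y!r}")
        return lub

    def has_meet(self, x, y):
        """Whether a greatest lower bound of x and y exists in the base preorder."""
        lbs = [l for l in self.labels if self.flows(l, x) and self.flows(l, y)]
        return any(all(self.flows(m, g) for m in lbs) for g in lbs)

# Operations of L^⊓ as in the appendix table: a finite set of base labels
# is read as the meet of its elements.
def mc_flows(P, L1, L2):
    return all(any(P.flows(l1, l2) for l1 in L1) for l2 in L2)
def mc_join(P, L1, L2):
    return frozenset(P.join(l1, l2) for l1 in L1 for l2 in L2)
def mc_meet(P, L1, L2):
    return frozenset(L1) | frozenset(L2)

def lemma_a1_holds(P):
    """Lemma A.1 checked exhaustively: l ⊑ l1, l ⊑ l2 imply {l} ⊑⊓ {l1} ⊓⊓ {l2}."""
    return all(mc_flows(P, {l}, mc_meet(P, {l1}, {l2}))
               for l, l1, l2 in product(P.labels, repeat=3)
               if P.flows(l, l1) and P.flows(l, l2))

# Constructed example (assumption): a "bowtie" preorder in which c and d share
# the lower bounds a and b but have no greatest lower bound in the base preorder.
BOWTIE = FinitePreorder("abcd", [("a", "c"), ("a", "d"), ("b", "c"), ("b", "d")])
```

In BOWTIE no base label is the meet of c and d, yet the set {c, d} = {c} ⊓⊓ {d} lies below both {c} and {d} and above both {a} and {b}, which is exactly the accuracy gain Lemma A.1 describes.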

B. Join completion 

Join completion takes a preorder and gives a join-prelattice. 
If the preorder has meets, its join completion preserves them. 

$\mathcal{L}^\sqcup$: Join completion of $\mathcal{L}$ 

$\mathcal{L}^\sqcup = \mathcal{P}_{fin}(\mathcal{L})$ 

$L_1 \sqsubseteq^\sqcup L_2 = \forall l_1 \in L_1,\ \exists l_2 \in L_2,\ l_1 \sqsubseteq l_2$ 

$L_1 \sqcup^\sqcup L_2 = L_1 \cup L_2$ 

$L_1 \sqcap^\sqcup L_2 = \{\, l_1 \sqcap l_2 \mid l_1 \in L_1,\ l_2 \in L_2 \,\}$ 



B.1 Lemma: Join completion improves the accuracy of 
upper bounds: for any $l, l_1, l_2 \in \mathcal{L}$ such that $l_1 \sqsubseteq l$ and 
$l_2 \sqsubseteq l$, we have $\{l_1\} \sqcup^\sqcup \{l_2\} \sqsubseteq^\sqcup \{l\}$. 

B.2 Lemma: Assume $\mathcal{L}$ is a meet-prelattice. Join completion 
preserves meets: for any $l_1, l_2 \in \mathcal{L}$, $\{l_1 \sqcap l_2\} = \{l_1\} \sqcap^\sqcup \{l_2\}$. 



